Secure Software Operations

■ Where secure development use cases required foundational knowledge and ways to package it and understand it within a static context, Secure Software Operations requires situational awareness & interpretation of foundational knowledge within a dynamic context.

■ Considering that secure operations is a key element of overall software assurance, we need ways to:

  - Bridge the secure development and secure operations domains
  - Improve the analysis, characterization, collection, discovery & knowledge sharing of malware
  - Combine elements of the ecosystem as practical applications to support secure software operations

■ This portion of the tutorial will focus on resources and efforts aimed at addressing these three needs.
Secure Software Operations

■ Bridge the secure development and secure operations domains
  -> Cyber Observable expression (CybOX)

■ Improve the analysis, characterization, collection, discovery & knowledge sharing of malware
  -> Malware Attribute Enumeration & Characterization (MAEC)

■ Combine elements of the ecosystem as practical applications to support secure software operations
  -> Security Content Automation Protocol (SCAP) and other Automation Protocols
Bridge the secure development and secure operations domains

Cyber Observable expression (CybOX)

The topic and content covered in this presentation was published as an article in the Sep/Oct 2010 issue of CrossTalk: The Journal of Defense Software Engineering.
Attack Patterns Bridge Secure Development and Operations

[Figure: "Attack Patterns" shown as the link spanning Secure Development and Secure Operations]

MITRE
UNCLASSIFIED
© 2010 The MITRE Corporation. All rights reserved


Secure Operations Knowledge Offers Unique Value to Secure Development

■ Using attack patterns makes it possible for the secure development domain to leverage significant value from secure operations knowledge, enabling them to:

  - Understand the real-world frequency and success of various types of attacks.
  - Identify and prioritize relevant attack patterns.
  - Identify and prioritize the most critical weaknesses to avoid.
  - Identify new patterns and variations of attack.

Secure Development Knowledge Offers Unique Value to Secure Operations

■ Attack patterns enable those in the secure operations domain to provide appropriate context to the massive amounts of data analyzed, to help answer the foundational secure operations questions.
So, this all sounds great, but how do we map these high-level attack pattern abstractions to the low-level operational world?

Cyber Observables

The Secret Sauce for Bridging the Abstract to the Concrete
Cyber Observables Overview

■ The Cyber Observables construct is intended to capture and characterize events or properties that are observable in the operational domain.

■ These observable events or properties can be used to adorn the appropriate portions of the attack patterns in order to tie the logical pattern constructs to real-world evidence of their occurrence or presence.

■ This construct has the potential for being the most important bridge between the two domains, as it enables the alignment of the low-level aggregate mapping of observables that occurs in the operations domain to the higher-level abstractions of attacker methodology, motivation, and capability that exist in the development domain.

■ By capturing them in a structured fashion, the intent is to enable future potential for detailed automatable mapping and analysis heuristics.
A Brief History of Cyber Observables

■ September 2009: Concept introduced to CAPEC in Version 1.4 as future envisioned adornment to the structured Attack Execution Flow

■ June 2010: Broader relevance to MSM recognized, leading to CAPEC, MAEC & CEE teams collaborating to define one common structure to serve the common needs

■ August 2010: Discussed with US-CERT at GFIRST 2010

■ December 2010: Cyber Observables schema draft v0.4 completed

■ December 2010: Discussions with Mandiant for collaboration and alignment between Cyber Observables and Mandiant OpenIOC

■ January 2011: Discussed & briefed with MITRE CSOC

■ February 2011: Discussed & briefed with NIST - EMAP and US-CERT, who also have a need for this construct and had begun to work on parallel solutions
Simplified Overview of Current Schema

[Figure: XMLSpy rendering of the draft Cyber Observables schema. The structure, as far as it can be read from the diagram:]

Observables (top-level container)
  Description
  Observable (1..*), of type ObservableType

ObservableType
  attributes: ID, IDREF, Operator
  elements: observables:Description, observables:Keywords,
            observables:Measure (type observables:MeasureType),
            observables:Measure_Source, observables:Delta, observables:Trend,
            observables:Frequency, observables:Change,
            observables:Obfuscation_Techniques (containing one or more observables:Obfuscation_Technique),
            observables:Observable
Cyber Observable Broader Use Cases

■ Detect malicious activity from attack patterns

■ Empower & guide incident management

■ Identify new attack patterns

■ Prioritize existing attack patterns based on tactical reality

■ Potential ability to analyze data from all types of tools and all vendors

■ Improved sharing among all cyber observable stakeholders

■ Ability to metatag cyber observables for implicit sharing controls

■ Enable automated signature rule generation

■ Enable new levels of meta-analysis on operational cyber observables

■ Potential ability to automatically apply mitigations specified in attack patterns

■ Etc....
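As an added example (my own code, not MITRE's and not part of the CybOX schema), the following Python models an observable after the ObservableType fields in the schema overview (ID, Operator, Description, Keywords, Frequency), composes observables through the Operator attribute, and evaluates them per process over a constructed event stream so that an adorned attack pattern can be detected from low-level operational data (the first use case above). The event field names, the predicate logic, and the pattern label are assumptions made for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Constructed sample events standing in for the low-level operational data
# (sandbox API traces, endpoint audit logs) seen in the operations domain.
# Field names and values are invented for this example.
EVENTS = [
    {"pid": 1080, "api": "CopyFileW",
     "target": r"C:\WINDOWS\System32\ntos.exe"},
    {"pid": 1080, "api": "RegCreateKeyExW",
     "target": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"},
    {"pid": 1080, "api": "RegSetValueExW",
     "target": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ntos"},
    {"pid": 2231, "api": "CreateFileW",
     "target": r"C:\Users\alice\report.docx"},
    {"pid": 2231, "api": "RegOpenKeyExW",
     "target": r"HKCU\Software\Microsoft\Office"},
]


@dataclass
class Observable:
    """Structured observable named after the ObservableType fields in the
    schema overview (ID, Operator, Description, Keywords, Frequency).
    The `match` predicate and the evaluation rules are this example's own."""
    id: str
    description: str
    keywords: List[str] = field(default_factory=list)
    match: Callable[[dict], bool] = lambda e: False
    operator: str = "AND"          # how child observables combine: AND / OR
    children: List["Observable"] = field(default_factory=list)
    frequency: int = 1             # minimum number of matching events

    def evaluate(self, events: List[dict]) -> bool:
        if self.children:
            results = [child.evaluate(events) for child in self.children]
            return all(results) if self.operator == "AND" else any(results)
        return sum(1 for e in events if self.match(e)) >= self.frequency


def _is_system_dir_write(e: dict) -> bool:
    return (e["api"] in ("CopyFileW", "CreateFileW", "MoveFileW")
            and e["target"].lower().startswith(r"c:\windows\system32"))


def _is_run_key_write(e: dict) -> bool:
    return (e["api"] in ("RegCreateKeyExW", "RegSetValueExW")
            and r"\currentversion\run" in e["target"].lower())


SYSTEM_DIR_DROP = Observable("obs-1", "Executable written under System32",
                             ["file", "system32"], _is_system_dir_write)
RUN_KEY_WRITE = Observable("obs-2", "Autostart Run key created or modified",
                           ["registry", "autostart"], _is_run_key_write)
# Composite observable: both leaves must be present (Operator="AND").
PERSIST_COMPOSITE = Observable("obs-3", "Binary drop plus autostart entry",
                               operator="AND",
                               children=[SYSTEM_DIR_DROP, RUN_KEY_WRITE])

# Attack pattern adorned with the composite observable. The label is a
# hypothetical placeholder, not a CAPEC entry.
PATTERN_LABEL = "placeholder-pattern: persistence via dropped system binary"
ATTACK_PATTERNS: Dict[str, Observable] = {PATTERN_LABEL: PERSIST_COMPOSITE}


def detect(events: List[dict]) -> Dict[int, List[str]]:
    """Group events per process and report which adorned attack patterns
    have all of their observables present for that process."""
    by_pid = defaultdict(list)
    for e in events:
        by_pid[e["pid"]].append(e)
    matches: Dict[int, List[str]] = {}
    for pid, evs in sorted(by_pid.items()):
        hits = [name for name, obs in ATTACK_PATTERNS.items() if obs.evaluate(evs)]
        if hits:
            matches[pid] = hits
    return matches


if __name__ == "__main__":
    for pid, names in detect(EVENTS).items():
        print(pid, names)
```

Evaluating per process rather than over the whole stream keeps two unrelated processes from jointly satisfying an AND composite; the Frequency field lets an observable require repeated occurrences before it counts.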
Improve the analysis, characterization, collection, discovery & knowledge sharing of malware

Malware Attribute Enumeration & Characterization (MAEC)
Malware Attribute Enumeration and Characterization (MAEC)

■ Language for sharing structured information about malware
  - Grammar (Schema)
  - Vocabulary (Enumerations)
  - Collection Format (Bundle)

■ Focus on attributes and behaviors

■ Enable correlation, integration, and automation
MAEC Use Cases

[Figure: MAEC at the centre, exchanged between analysis Tools and Malware Repositories. Labels:]

Operational
Analysis
Help Guide Analysis Process
Standardized Tool Output
Malware Repositories
MAEC Overview

[Figure: three-level hierarchy of MAEC constructs]

High-level: Mechanisms
  e.g. Persistence

Mid-level: Behaviors
  e.g. Malicious Binary Instantiation

Low-level: Actions
  Abstracted Semantics, e.g. Create File: xyz.dll
  Implementation Models, e.g. Win32 API Call: CreateFile(xyz.dll, ...)
Dynamic Malware Analysis -> MAEC

Process:

1) An API call is captured by the analysis engine and mapped to MAEC's enumeration of API calls.

2) The MAEC enumerated call is mapped to its corresponding action.

3) The MAEC defined action is mapped to a corresponding MAEC effect (as necessary), which is populated by the parameters of the call.

4) The MAEC effect is linked to a MAEC object (as necessary).

5) Any extra data output (e.g. file attributes, network capture, etc.) from the analysis engine is mapped to its corresponding object (as necessary).

(The steps marked "as necessary" are drawn as optional in the figure.)

Demonstrate the ability to generate MAEC XML descriptions from dynamic analysis tools.

Developed proof-of-concept translators for:
  - CWSandbox (Sunbelt)
  - ASAT (MITRE)
  - Anubis
  - ThreatExpert
Test Case: CWSandbox Output -> MAEC

Raw CWSandbox Output (each line is cut off at the slide's right edge):

PID: 1080, TID: 1812, Caller: $00400000 ("KB823988.exe"), BEFORE, typFileSystem."FindFirstFileW"
PID: 1080, TID: 1812, Caller: $00400000 ("KB823988.exe"), BEFORE, typFileSystem."SetFileAttr...
PID: 1080, TID: 1812, Caller: $00400000 ("KB823988.exe"), BEFORE, typFileSystem."DeleteFileW"
PID: 1080, TID: 1812, Caller: $77A80000 ("CRYPT32.dll"), AFTER, typRegistry."RegOpenKeyExA"
PID: 1080, TID: 1812, Caller: $77A80000 ("CRYPT32.dll"), AFTER, typRegistry."RegEnumKeyA"
PID: 1080, TID: 1812, Caller: $77A80000 ("CRYPT32.dll"), AFTER, typRegistry."RegOpenKeyExA"
PID: 1080, TID: 1812, Caller: $77A80000 ("CRYPT32.dll"), AFTER, typRegistry."RegOpenKeyExA"
PID: 1080, TID: 1812, Caller: $77A80000 ("CRYPT32.dll"), AFTER, typRegistry."RegEnumKeyA"
PID: 1080, TID: 1812, Caller: $77A80000 ("CRYPT32.dll"), AFTER, typRegistry."RegOpenKeyExA"
PID: 1080, TID: 1812, Caller: $77A80000 ("CRYPT32.dll"), AFTER, typRegistry."RegEnumValueW"
PID: 1080, TID: 1812, Caller: $77A80000 ("CRYPT32.dll"), AFTER, typRegistry."RegOpenKeyExA"
PID: 1080, TID: 1812, Caller: $77A80000 ("CRYPT32.dll"), AFTER, typRegistry."RegEnumValueW"
PID: 1080, TID: 1812, Caller: $77A80000 ("CRYPT32.dll"), AFTER, typRegistry."RegOpenKeyExA"
PID: 1080, TID: 1812, Caller: $77A80000 ("CRYPT32.dll"), AFTER, typRegistry."RegOpenKeyExA"
PID: 1080, TID: 1812, Caller: $77A80000 ("CRYPT32.dll"), AFTER, typRegistry."RegOpenKeyExW"
PID: 1080, TID: 1812, Caller: $77A80000 ("CRYPT32.dll"), AFTER, typRegistry."RegOpenKeyExW"
PID: 1080, TID: 1812, Caller: $77A80000 ("CRYPT32.dll"), AFTER, typRegistry."RegOpenKeyExW"
PID: 1080, TID: 1812, Caller: $77A80000 ("CRYPT32.dll"), AFTER, typRegistry."RegCreateKeyExW"

      |  Python XSD Bindings
      v

MAEC XML (MAEC Actions, MAEC Objects, MAEC Behaviors):

<Action Successful="true" id="10" Action_Type="copy" Name="copy_file">
  <Description/>
  <Action_Initiator type="Process">
    <Initiator_Name>KB823988.exe</Initiator_Name>
    <Process_ID>1080</Process_ID>
    <Thread_ID>1812</Thread_ID>
  </Action_Initiator>
  <Action_Implementation>
    <API_Call>
      <Name>CopyFileW</Name>
      <API_Call_Parameter ordinal_position="1">
        <Name>filetype</Name>
        <Value>file</Value>
      </API_Call_Parameter>
      <API_Call_Parameter ordinal_position="2">
        <Name>srcfile</Name>
        <Value>c:\KB823988.exe</Value>
      </API_Call_Parameter>
      <API_Call_Parameter ordinal_position="3">
        <Name>dstfile</Name>
        <Value>C:\\WINDOWS\\System32\\ntos.exe</Value>
      </API_Call_Parameter>
      <API_Call_Parameter ordinal_position="4">
        <Name>creationdistribution</Name>
        <Value>CREATE_ALWAYS</Value>
      </API_Call_Parameter>
      <API_Call_Parameter ordinal_position="5">
        <Name>desiredaccess</Name>
        <Value>FILE_ANY_ACCESS</Value>
      </API_Call_Parameter>
      <API_Call_Parameter ordinal_position="6">
        <Name>flags</Name>
        <Value>SECURITY_ANONYMOUS</Value>
      </API_Call_Parameter>
    </API_Call>
  </Action_Implementation>
</Action>
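An added example (my own code, not MITRE's proof-of-concept translator) that carries the five-step process from the previous slide and the CWSandbox test case above through in Python: it parses constructed trace lines shaped like the raw output, applies a small API enumeration and action mapping (steps 1 and 2), derives an effect and links an object from the call parameters (steps 3 and 4), and emits XML using the element names seen in the MAEC fragment above. The `name="value"` parameter syntax after the dash, the enumeration tables, the container name `Actions`, and the `Effect`/`Object`/`Path` element names are assumptions; step 5 (extra analysis output such as file attributes or network captures) is left as a comment.

```python
import re
import xml.etree.ElementTree as ET
from typing import List, Optional

# Constructed trace lines in the shape of the raw CWSandbox output on the
# slide. The parameter list after the dash is an assumption: the slide cuts
# each line off before its parameters.
RAW_TRACE = r'''
PID: 1080, TID: 1812, Caller: $00400000 ("KB823988.exe"), BEFORE, typFileSystem."FindFirstFileW" - filename="c:\*.*"
PID: 1080, TID: 1812, Caller: $00400000 ("KB823988.exe"), AFTER, typFileSystem."CopyFileW" - srcfile="c:\KB823988.exe", dstfile="C:\WINDOWS\System32\ntos.exe"
PID: 1080, TID: 1812, Caller: $77A80000 ("CRYPT32.dll"), AFTER, typRegistry."RegOpenKeyExW" - key="HKLM\SOFTWARE\Microsoft\Cryptography"
PID: 1080, TID: 1812, Caller: $00400000 ("KB823988.exe"), AFTER, typRegistry."RegCreateKeyExW" - key="HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
'''.strip().splitlines()

LINE_RE = re.compile(
    r'PID: (?P<pid>\d+), TID: (?P<tid>\d+), Caller: \$(?P<base>[0-9A-Fa-f]+) '
    r'\("(?P<caller>[^"]+)"\), (?P<when>BEFORE|AFTER), '
    r'(?P<category>\w+)\."(?P<api>\w+)"(?: - (?P<params>.*))?$')
PARAM_RE = re.compile(r'(\w+)="([^"]*)"')

# Step 1: API names the (assumed) MAEC enumeration of API calls knows.
API_ENUM = {"CopyFileW", "DeleteFileW", "RegOpenKeyExW", "RegCreateKeyExW"}
# Step 2: enumerated call -> (Action_Type, action Name). The copy/copy_file
# pair mirrors the MAEC fragment above; the others are assumed.
ACTION_MAP = {
    "CopyFileW": ("copy", "copy_file"),
    "DeleteFileW": ("delete", "delete_file"),
    "RegOpenKeyExW": ("open", "open_registry_key"),
    "RegCreateKeyExW": ("create", "create_registry_key"),
}
# Steps 3 and 4: action Name -> (effect, object type, parameter naming the
# object). A None effect means nothing changed, so no Effect is emitted.
EFFECT_MAP = {
    "copy_file": ("file_created", "file", "dstfile"),
    "delete_file": ("file_deleted", "file", "filename"),
    "open_registry_key": (None, "registry_key", "key"),
    "create_registry_key": ("registry_key_created", "registry_key", "key"),
}


def parse_line(line: str) -> Optional[dict]:
    """Split one trace line into its fields; None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["params"] = dict(PARAM_RE.findall(rec["params"] or ""))
    return rec


def build_action(rec: dict, action_id: int) -> Optional[ET.Element]:
    """Steps 1-4 for one captured call; None for APIs outside the enumeration."""
    api = rec["api"]
    if api not in API_ENUM:                      # step 1
        return None
    action_type, name = ACTION_MAP[api]          # step 2
    action = ET.Element("Action", Successful="true", id=str(action_id),
                        Action_Type=action_type, Name=name)
    ET.SubElement(action, "Description")
    init = ET.SubElement(action, "Action_Initiator", type="Process")
    # The slide's translator reports the process image here; the trace line
    # only carries the calling module, so that is what we record (assumption).
    ET.SubElement(init, "Initiator_Name").text = rec["caller"]
    ET.SubElement(init, "Process_ID").text = rec["pid"]
    ET.SubElement(init, "Thread_ID").text = rec["tid"]
    call = ET.SubElement(ET.SubElement(action, "Action_Implementation"), "API_Call")
    ET.SubElement(call, "Name").text = api
    for pos, (pname, value) in enumerate(rec["params"].items(), start=1):
        p = ET.SubElement(call, "API_Call_Parameter", ordinal_position=str(pos))
        ET.SubElement(p, "Name").text = pname
        ET.SubElement(p, "Value").text = value
    effect_name, obj_type, obj_param = EFFECT_MAP[name]   # steps 3 and 4
    if effect_name and obj_param in rec["params"]:
        effect = ET.SubElement(action, "Effect", type=effect_name)   # assumed names
        obj = ET.SubElement(effect, "Object", type=obj_type)
        ET.SubElement(obj, "Path").text = rec["params"][obj_param]
    return action


def translate(lines: List[str]) -> ET.Element:
    """Build the Actions container from a trace. Only AFTER records are used,
    since they carry the call's outcome (the BEFORE hook duplicates the call).
    Step 5 (attaching extra engine output as objects) is not implemented."""
    root = ET.Element("Actions")
    next_id = 1
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["when"] != "AFTER":
            continue
        action = build_action(rec, next_id)
        if action is not None:
            root.append(action)
            next_id += 1
    return root


if __name__ == "__main__":
    print(ET.tostring(translate(RAW_TRACE), encoding="unicode"))
```

Lines whose API is outside the enumeration are dropped rather than guessed at, which is the behaviour a translator needs if its output is to be trusted by downstream correlation; a real translator would log those misses so the enumeration can be extended.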
Collaboration

[Figure: CEE, MAEC and CAPEC sharing one set of enumerations]

■ Related Making Security Measurable Efforts

There is significant overlap between MAEC, CAPEC, and CEE in describing observed actions, objects, and states.

As such, we're working on developing a common schematic structure of observables for use in these efforts:

  - Object_Enumeration (type Object_Enum)
  - Action_Enumeration (type Action_Enum)
  - Value_Type_Enumeration (type ValueType_Enum)

MITRE
MAEC Community: Discussion List

■ Request to join: http://maec.mitre.org/community/discussionlist.html

■ Archives available

[Figure: screenshot of the MAEC Discussion Archive web page ("MAEC - Malware Attribute Enumeration and Characterization" forum) listing recent threads]
MAEC Community: MAEC Development Group on Handshake

MITRE hosts a social networking collaboration environment: https://handshake.mitre.org

Supplement to mailing list to facilitate collaborative schema development

Malware Ontologies SIG Subgroup
Combine elements of the ecosystem as practical applications to support secure software operations

Security Content Automation Protocol (SCAP) and other Automation Protocols
Remembering the Acronyms

What IT systems do I have in my enterprise?  ->  CPE (Platforms)
What vulnerabilities do I need to worry about?  ->  CVE (Vulnerabilities)
What vulnerabilities do I need to worry about RIGHT NOW?  ->  CVSS (Scoring System)
How can I configure my systems more securely?  ->  CCE (Configurations)
How do I define a policy of secure configurations?  ->  XCCDF (Configuration Checklists)
How can I be sure my systems conform to policy?  ->  OVAL (Assessment Language)
How can I be sure the operation of my systems conforms to policy?  ->  OCIL (Interactive Language)
What weaknesses in my software could be exploited?  ->  CWE (Weaknesses)
What attacks can exploit which weaknesses?  ->  CAPEC (Attack Patterns)
What should be logged, and how?  ->  CEE (Events)
How can I aggregate assessment results?  ->  ARF (Results)
How can we recognize malware?  ->  MAEC (Malware Attributes)
Standardization Efforts leveraged by the Security Content Automation Protocol (SCAP)

(This slide repeats the question-to-acronym mapping of "Remembering the Acronyms": CPE, CVE, CVSS, CCE, XCCDF, OVAL, OCIL, CWE, CAPEC, CEE, ARF, MAEC.)
SCAP - FDCC and USGCB

[Figure: two OMB memoranda. The first is headed EXECUTIVE OFFICE OF THE PRESIDENT, OFFICE OF MANAGEMENT AND BUDGET, WASHINGTON, D.C. 20503, June 1, 2007, M-07-18. The second is reproduced below.]

August 11, 2008

MEMORANDUM FOR THE CHIEF INFORMATION OFFICERS

FROM: Karen S. Evans, Administrator, E-Government and Information Technology

SUBJECT: Guidance on the Federal Desktop Core Configuration (FDCC)

In March 2007, OMB Memorandum M-07-11 announced the "Implementation of Commonly Accepted Security Configurations for Windows Operating Systems," directing agencies with Windows XP deployed and/or plan to upgrade to the Vista operating system to adopt the Federal Desktop Core Configuration (FDCC) security configurations developed by the National Institute of Standards and Technology (NIST), the Department of Defense (DoD) and the Department of Homeland Security (DHS).

On June 20, 2008, NIST published the updated Federal Desktop Core Configuration Major Version 1.0 settings release. Relative to the previous version of FDCC which was originally posted in July 2007, 40 settings have changed. Changes were derived from public comment during the April and May 2008 public comment periods, analysis of the March 31, 2008, Agency FDCC reports and subject matter expertise. FDCC Major Version 1.0 settings are available at http://nvd.nist.gov/fdcc/download_fdcc.cfm.

Federal Desktop Core Configuration Major Version 1.0

FDCC Major Version 1.0 is based on Microsoft Windows XP Service Pack (SP) 2 and Microsoft Windows Vista SP 1. Although Security Content Automation Protocol (SCAP) Content has been engineered so that it will also operate on Windows XP SP3, near-term Windows XP patch checking will be oriented toward Windows XP SP2. It is understood that many managed environments throughout the Federal government implement service packs shortly after their release. While near-term Windows XP checking is based on Windows XP/SP2, we do not anticipate any significant measurement issues for Windows XP/SP3. NIST is currently working with IT product vendors to develop additional SCAP Content based on the FDCC settings for other platforms and applications.

To coincide with the release of FDCC Major Version 1.0, new SCAP Content has also been made available. This SCAP Content is inclusive of the 40 FDCC settings changes. At this time, the FDCC is comprised of settings located at http://fdcc.nist.gov that can be checked using the updated SCAP Content and SCAP-validated tools with FDCC Scanning capability as specified on the NIST website at http://nvd.nist.gov/scapproducts.cfm. Not all FDCC settings can be checked using automated scanning tools. NIST is coordinating the refinement of SCAP Content




[Figure: screenshots of the NIST National Checklist Program (http://nvd.nist.gov/ncp.cfm?repository) and the National Vulnerability Database. Recoverable text:]

National Checklist Program. Sponsored by DHS National Cyber Security Division/US-CERT.

NIST National Vulnerability Database: automating vulnerability management, security measurement, and compliance checking. Navigation: Vulnerabilities, Home, ISAP/SCAP, Product Dictionary, SCAP Validated Tools, SCAP Events, Impact Metrics, About, Data Feeds, Statistics, Contact, Vendor Comments, Report a Vulnerability.

NVD is the U.S. government repository of standards based vulnerability management data. This data enables automation of vulnerability management, security measurement, and compliance (e.g. FISMA).

NVD contains: 150 Checklists, 132 US-CERT Alerts, 2150 US-CERT Vuln Notes, 3171 OVAL Queries. Last updated: 02/20/08. CVE publication rate: 18 vulnerabilities / day.

NVD provides four mailing lists to the public. For information and subscription instructions please visit NVD Mailing Lists.

NCP contains 150 checklists covering ... Keyword Search (try a checklist or product name). Show only SCAP and FDCC subsets of the checklist repository. Recent updates (includes updates from the last 6 months). The symbol denotes newly added checklists.

NCP is a product of the NIST Computer Security Division and is sponsored by the Department of Homeland Security's National Cyber Security Division. It supports the U.S. government multi-agency (OSD, DHS, NSA, DISA, and NIST) Information Security Automation Program. It is the U.S. government content repository for the Security ...
SCAP-Based FDCC Reporting

[Figure: Operations Security Management Processes]
Other Automation Protocols Can Capture the Government Use Cases...

■ Enterprise System Information Protocol (ESIP)
  - For reporting of asset inventory information. Common Platform Enumeration (CPE), etc.

■ Threat Analysis Automation Protocol (TAAP)
  - For reporting and sharing structured threat information. Malware Attribute Enumeration & Characterization (MAEC), Common Attack Pattern Enumeration & Classification (CAPEC), Common Platform Enumeration (CPE), Common Weakness Enumeration (CWE), Open Vulnerability and Assessment Language (OVAL), Common Configuration Enumeration (CCE), and Common Vulnerabilities and Exposures (CVE).

■ Event Management Automation Protocol (EMAP)
  - For reporting of security events. Common Event Expression (CEE), Malware Attribute Enumeration & Characterization (MAEC), and Common Attack Pattern Enumeration & Classification (CAPEC).
Other Automation Protocols Can Capture the Government Use Cases... (concluded)

■ Incident Tracking and Assessment Protocol (ITAP)
  - For tracking, reporting, managing and sharing incident information. Open Vulnerability and Assessment Language (OVAL), Common Platform Enumeration (CPE), Common Configuration Enumeration (CCE), Common Vulnerabilities and Exposures (CVE), Common Vulnerability Scoring System (CVSS), Malware Attribute Enumeration & Characterization (MAEC), Common Attack Pattern Enumeration & Classification (CAPEC), Common Weakness Enumeration (CWE), Common Event Expression (CEE), Incident Object Description Exchange Format (IODEF), National Information Exchange Model (NIEM), and Cybersecurity Information Exchange Format (CYBEX).

■ Enterprise Remediation Automation Protocol (ERAP)
  - For automated remediation of mis-configuration & missing patches. Common Remediation Enumeration (CRE), Extended Remediation Information (ERI), Open Vulnerability and Assessment Language (OVAL), Common Platform Enumeration (CPE), and Common Configuration Enumeration (CCE).

■ Enterprise Compliance Automation Protocol (ECAP)
  - For reporting configuration compliance. Asset Reporting Format (ARF), Open Checklist Reporting Language (OCRL), etc.
[Figure: screenshot of MITRE's Making Security Measurable web site. Recoverable text:]

MITRE, in collaboration with government, industry, and academic stakeholders, is improving the measurability of security through enumerating baseline security data, providing standardized languages as means for accurately communicating the information, and encouraging the sharing of the information with users by developing repositories.

The other activities and initiatives listed here have similar concepts or compatible approaches to MITRE's. Together all of these efforts are helping to make security more measurable by defining the concepts that need to be measured, providing for high fidelity communications about the measurements, and providing for sharing of the measurements and the definitions of what to measure.

Use cases: Vulnerability Management, Intrusion Detection, Asset Security Assessment, Asset Management, Configuration Guidance, Patch Management, Malware Response, Incident Management

Enumerations
  - Common Vulnerabilities and Exposures (CVE) - common vulnerability identifiers
  - Common Weakness Enumeration (CWE) - list of software weakness types
  - Common Attack Pattern Enumeration and Classification (CAPEC) - list of common attack patterns
  - Common Configuration Enumeration (CCE) - common security configuration identifiers
  - Common Platform Enumeration (CPE) - common platform identifiers
  - CWE/SANS Top 25 - consensus list of the 25 most dangerous programming errors
  - Center for Internet Security (CIS) Consensus Security Metrics Definitions - set of standard metrics and data definitions that can be used across organizations to collect and analyze data on security process performance and outcomes
  - Twenty Most Important Controls and Metrics for Effective Cyber Defense and Continuous FISMA Compliance - twenty key actions or security "controls" that organizations must take to block or mitigate known and reasonably expected attacks
  - SANS Top Twenty - SANS' consensus list of the Twenty Most Critical Internet Security Vulnerabilities that uses CVE-IDs to identify the issues
  - OWASP Top Ten - ten most critical Web application security flaws
  - WASC Web Security Threat Classification - list of Web security threats

Languages
  - Open Vulnerability and Assessment Language (OVAL) - standard for determining vulnerability and configuration issues
  - Common Event Expression (CEE) - standardizes the way computer events are described, logged, and exchanged
  - Malware Attribute Enumeration and Characterization (MAEC) - standardized language for attribute-based malware characterization
  - Benchmark Development - resources for creating standards-based, structured, and automatable security guidance
  - OVAL Interpreter - free tool for collecting information for testing, carrying out OVAL Definitions and presenting results of the tests
  - Benchmark Editor - free tool that enhances and simplifies creation and editing of benchmark documents written in XCCDF and OVAL
  - Recommendation Tracker - free tool that facilitates the development of automated security benchmarks
  - Extensible Configuration Checklist Description Format (XCCDF) - specification language for uniform expression of security checklists, benchmarks and other configuration guidance
  - Open Checklist Interactive Language (OCIL) - standardized language for expressing and evaluating non-automated security checks
  - Common Vulnerability Scoring System (CVSS) - open standard that conveys vulnerability severity and helps determine urgency and priority of response
  - Policy Language for Assessment Results Reporting (PLARR) - language for requesting IT asset assessment results from tools, databases, and other products
  - Assessment Results Format (ARF) - open language for exchanging per-device assessment results data between assessment tools, asset databases and other products that manage asset information
  - Assessment Summary Results (ASR) - language for exchanging summarized assessment results data

Repositories
  - OVAL Repository - community-developed OVAL Vulnerability, Compliance, Inventory, and Patch Definitions
  - National Vulnerability Database (NVD) - U.S. vulnerability database based on CVE that integrates all publicly available vulnerability resources and references
  - NIST Security Content Automation Protocol (SCAP) - security content for automating technical control compliance activities, vulnerability checking, and security measurement
  - Red Hat Repository - OVAL Patch Definitions corresponding to Red Hat Errata security advisories
  - Novell Repository - OVAL Definitions for SUSE Linux Enterprise compliance checking
  - Debian Repository - OVAL Definitions corresponding to Debian security advisories
  - National Checklist Program Repository - U.S. government repository of publicly available security checklists/benchmarks
  - Center for Internet Security (CIS) Benchmarks - best-practice security configurations accepted for compliance with FISMA, the ISO standard, GLB, SOx, HIPAA, and FIRPA and other regulatory requirements for information security
  - DISA Security Technical Implementation Guides (STIGs) - U.S. Defense Information Systems Agency's (DISA) STIGs are configuration standards for DOD information assurance and information assurance-enabled devices and systems
  - Common Frameworks for Vulnerability Disclosure and Response (CVRF) - standard format for reporting and sharing vulnerability information among multiple organizations
  - Federal Desktop Core Configuration (FDCC) - OMB-mandated security configuration for Microsoft Windows Vista and XP operating system software
  - United States Government Configuration Baseline (USGCB) - security configuration baselines for IT products deployed across federal agencies

View the current collection of organizations, activities, and initiatives.